<!doctype html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<title></title>
	<link rel="stylesheet" type="text/css" href="http://paranoid.net.cn/semantic.css" >
</head>
<body>
<subsection-title-en>3.1 Cryptographic Primitives</subsection-title-en>
<subsection-title-ch>3.1 密码学基元</subsection-title-ch>
<p-en>
	This section overviews the cryptosystems used by secure architectures. We are interested in cryptographic primitives that guarantee confidentiality, integrity, and freshness, and we treat these primitives as black boxes, focusing on their use in larger systems. [116] covers the mathematics behind cryptography, while [51] covers the topic of building systems out of cryptographic primitives. Tables 10 and 11 summarize the primitives covered in this section.
</p-en>
<p-ch>
	本节概述了安全架构使用的密码系统。我们对保证机密性、完整性和新鲜性的密码学基元感兴趣，我们将这些基元视为黑盒，关注它们在大系统中的使用。[116]涵盖了密码学背后的数学，而[51]则涵盖了用密码学基元构建系统的主题。表10和表11总结了本节涉及的基元。
</p-ch>
<img src="table.10.jpg" width="" height="" alt="" />
<p-en>
	Table 10: Desirable security guarantees and primitives that provide them
</p-en>
<p-ch>
	表10：理想的安全保障和提供这些保障的基元
</p-ch>

<img src="table.11.jpg" width="" height="" alt="" />
<p-en>
	Table 11: Popular cryptographic primitives that are considered to be secure against today's adversaries
</p-en>
<p-ch>
	表11：被认为对今天的敌方是安全的常用密码学基元。
</p-ch>
<p-en>
	A message whose confidentiality is protected can be transmitted over an insecure medium without an adversary being able to obtain the information in the message. When integrity protection is used, the receiver is guaranteed to either obtain a message that was transmitted by the sender, or to notice that an attacker tampered with the message's content.
</p-en>
<p-ch>
	机密性受到保护的电文可以在不安全的媒介上传输，而敌方无法获得电文中的信息。当使用完整性保护时，保证接收者能够获得由发送者传送的电文，或注意到攻击者篡改了电文的内容。
</p-ch>
<p-en>
	When multiple messages get transmitted over an untrusted medium, a freshness guarantee assures the receiver that she will obtain the latest message coming from the sender, or will notice an attack. A freshness guarantee is stronger than the equivalent integrity guarantee, because the latter does not protect against replay attacks where the attacker replaces a newer message with an older message coming from the same sender.
</p-en>
<p-ch>
	当多条信息在一个不受信任的媒介上传输时，新鲜性保证可以向接收者保证，她将获得来自发送者的最新信息，或者将注意到攻击。新鲜性保证比同等的完整性保证更强，因为后者不能防止重播攻击，即攻击者用来自同一发送者的旧信息替换较新的信息。
</p-ch>
<p-en>
	The following example further illustrates these concepts. Suppose Alice is a wealthy investor who wishes to either BUY or SELL an item every day. Alice cannot trade directly, and must relay her orders to her broker, Bob, over a network connection owned by Eve.
</p-en>
<p-ch>
	下面的例子进一步说明了这些概念。假设Alice是一个富有的投资者，她希望每天都能买入或卖出一个商品。Alice不能直接进行交易，必须通过Eve拥有的网络连接将她的订单转发给她的经纪人Bob。
</p-ch>
<p-en>
	A communication system with confidentiality guarantees would prevent Eve from distinguishing between a BUY and a SELL order, as illustrated in Figure 32. Without confidentiality, Eve would know Alice's order before it is placed by Bob, so Eve would presumably gain a financial advantage at Alice's expense.
</p-en>
<p-ch>
	如图32所示，一个具有机密性保证的通信系统将防止Eve区分 "买 "和 "卖 "订单。在没有机密性的情况下，Eve会在Bob下单之前就知道Alice的订单，所以Eve大概会以牺牲Alice的利益为代价获得经济上的好处。
</p-ch>
<img src="fig.32.jpg" width="" height="" alt="" />
<p-en>
	Figure 32: In a confidentiality attack, Eve sees the message sent by Alice to Bob and can understand the information inside it. In this case, Eve can tell that the message is a buy order, and not a sell order.
</p-en>
<p-ch>
	图32: 在机密性攻击中，Eve看到了Alice发给Bob的信息 并能理解其中的信息。在这种情况下，Eve可以判断出该信息是一个买单，而不是一个卖单。
</p-ch>
<p-en>
	A system with integrity guarantees would prevent Eve from replacing Alice's message with a false order, as shown in Figure 33. In this example, without integrity guarantees, Eve could replace Alice's message with a SELL-EVERYTHING order, and buy Alice's assets at a very low price.
</p-en>
<p-ch>
	如图33所示，一个具有完整性保证的系统将防止Eve用虚假订单替换Alice的消息。在这个例子中，如果没有诚信保证，Eve可以用SELL-EVERYTHING订单代替Alice的消息，并以很低的价格购买Alice的资产。
</p-ch>
<img src="fig.33.jpg" width="" height="" alt="" />
<p-en>
	Figure 33: In an integrity attack, Eve replaces Alice's message with her own. In this case, Eve sends Bob a sell-everything order. In this case, Eve can tell that the message is a buy order, and not a sell order.
</p-en>
<p-ch>
	图33: 在完整性攻击中，Eve用自己的信息替换了Alice的信息。在这种情况下，Eve给Bob发送了一个卖出一切的订单。在这种情况下，Eve可以判断出该消息是一个买单，而不是一个卖单。
</p-ch>
<p-en>
	Last, a communication system that guarantees freshness would ensure that Eve cannot perform the replay attack pictured in Figure 34, where she would replace Alice's message with an older message. Without freshness guarantees, Eve could mount the following attack, which bypasses both confidentiality and integrity guarantees. Over a few days, Eve would copy and store Alice's messages from the network. When an order would reach Bob, Eve would observe the market and determine if the order was BUY or SELL. After building up a database of messages labeled BUY or SELL, Eve would replace Alice's message with an old message of her choice.
</p-en>
<p-ch>
	最后，一个保证新鲜性的通信系统将确保Eve不能执行图34中所示的重放攻击，即她会用一个旧的消息替换Alice的消息。在没有新鲜性保证的情况下，Eve可以发动以下攻击，它绕过了机密性和完整性保证。在几天的时间里，Eve会从网络中复制和存储Alice的消息。当一个订单会到达Bob手中时，Eve会观察市场并判断这个订单是BUY还是SELL。在建立了一个标有 "买 "或 "卖 "的信息数据库后，Eve会用她选择的旧信息替换爱丽丝的信息。
</p-ch>
<img src="fig.34.jpg" width="" height="" alt="" />
<p-en>
	Figure 34: In a freshness attack, Eve replaces Alice's message with a message that she sent at an earlier time. In this example, Eve builds a database of labeled messages over time, and is able to send Bob her choice of a BUY or a SELL order.
</p-en>
<p-ch>
	图34[<remark-ch>这个图跟上图完全一样,估计是配错图了</remark-ch>]: 在新鲜性攻击中，Eve用Alice在更早的时候发送的信息替换了她的信息。在这个例子中，Eve随着时间的推移建立了一个标签消息的数据库，并且能够向Bob发送她选择的BUY或SELL订单。
</p-ch>
<subsubsection-title-en>3.1.1 Cryptographic Keys</subsubsection-title-en>
<subsubsection-title-ch>3.1.1 密码学钥</subsubsection-title-ch>

<p-en>
	All cryptographic primitives that we describe here rely on keys, which are small pieces of information that must only be disclosed according to specific rules. A large part of a system's security analysis focuses on ensuring that the keys used by the underlying cryptographic primitives are produced and handled according to the primitives' assumptions.
</p-en>
<p-ch>
	我们在此描述的所有密码学基元都依赖于钥，钥是只能根据特定规则披露的小信息。系统安全分析的很大一部分重点是确保基础加密基元使用的钥是根据基元的假设产生和处理的。
</p-ch>
<p-en>
	Each cryptographic primitive has an associated key generation algorithm that uses random data to produce a unique key. The random data is produced by a cryptographically strong[<remark-ch>图35中,S是secure而非strong</remark-ch>] pseudo-random number generator (CSPRNG) that expands a small amount of random seed data into a much larger amount of data, which is computationally indistinguishable from true random data. The random seed must be obtained from a true source of randomness whose output cannot be predicted by an adversary, such as the least significant bits of the temperature readings coming from a hardware sensor.
</p-en>
<p-ch>
	每一个密码学基元都有一个相关的钥生成算法，该算法使用随机数据来产生一个唯一的钥。随机数据是由一个密码学上强的伪随机数生成器(CSPRNG)产生的，该生成器将少量的随机种子数据扩展成一个大得多的数据量，在计算上与真正的随机数据无法区分。随机种子必须从真正的随机性来源中获得，其输出无法被对手预测，例如来自硬件传感器的温度读数的最小有效位。
</p-ch>
<p-en>
	Symmetric key cryptography requires that all the parties in the system establish a shared secret key, which is usually referred to as “the key”. Typically, one party executes the key generation algorithm and securely transmits the resulting key to the other parties, as illustrated in Figure 35. The channel used to distribute the key must provide confidentiality and integrity guarantees, which is a non-trivial logistical burden. The symmetric key primitives mentioned here do not make any assumption about the key, so the key generation algorithm simply grabs a fixed number of bits from the CSPRNG.
</p-en>
<p-ch>
	对称钥密码学要求系统中的所有各方建立一个共享的密钥，通常被称为 "钥"。通常情况下，一方执行钥生成算法，并将所得钥安全地传送给其他各方，如图35所示。用于分发钥的信道必须提供机密性和完整性保证，这是一个不小的后勤负担。这里提到的对称钥基元不对钥做任何假设，所以钥生成算法只是从CSPRNG中抓取固定的比特数。
</p-ch>
<img src="fig.35.jpg" width="" height="" alt="" />
<p-en>
	Figure 35: In symmetric key cryptography, a secret key is shared by the parties that wish to communicate securely.
</p-en>
<p-ch>
	图35: 在对称钥加密法中，密钥由希望安全通信的各方共享。
</p-ch>
<p-en>
	The defining feature of asymmetric key cryptography is that it does not require a private channel for key distribution. Each party executes the key generation algorithm, which produces a private key and a public key that are mathematically related. Each party's public key is distributed to the other parties over a channel with integrity guarantees, as shown in Figure 36. Asymmetric key primitives are more flexible than their symmetric counterparts, but are more complicated and consume more computational resources.
</p-en>
<p-ch>
	非对称钥密码学的定义特征是，它不需要钥分配的私人通道。每一方都执行钥生成算法，产生一个在数学上相关的私钥和一个公钥。每一方的公钥通过具有完整性保证的信道分配给其他各方，如图36所示。非对称钥基元比对称钥基元更灵活，但更复杂，消耗的计算资源也更多。
</p-ch>
<img src="fig.36.jpg" width="" height="" alt="" />
<p-en>
	Figure 36: An asymmetric key generation algorithm produces a private key and an associated public key. The private key is held confidential, while the public key is given to any party who wishes to securely communicate with the private key's holder.
</p-en>
<p-ch>
	图36: 非对称钥生成算法 非对称钥生成算法产生了一把私钥和一把相关的公钥。私钥是机密的，而公钥则提供给任何希望与私钥持有人安全通信的一方。
</p-ch>

<subsubsection-title-en>3.1.2 Confidentiality</subsubsection-title-en>
<subsubsection-title-ch>3.1.2 机密性</subsubsection-title-ch>

<p-en>
	Many cryptosystems that provide integrity guarantees are built upon block ciphers that operate on fixed-size message blocks. The sender transforms a block using an encryption algorithm, and the receiver inverts the transformation using a decryption algorithm. The encryption algorithms in block ciphers obfuscate the message block's content in the output, so that an adversary who does not have the decryption key cannot obtain the original message block from the encrypted output.
</p-en>
<p-ch>
	许多提供完整性保证的密码系统都是建立在对固定大小的信息块进行操作的块加密之上。发送方使用加密算法对信息块进行变换，接收方使用解密算法对变换进行反转。块加密中的加密算法在输出中混淆了消息块的内容，因此没有解密密钥的敌人无法从加密后的输出中获得原始消息块。
</p-ch>
<p-en>
	Symmetric key encryption algorithms use the same secret key for encryption and decryption, as shown in Figure 37, while asymmetric key block ciphers use the public key for encryption, and the corresponding private key for decryption, as shown in Figure 38.
</p-en>
<p-ch>
	对称钥加密算法使用相同的密钥进行加密和解密，如图37所示，而非对称钥块加密则使用公钥进行加密，并使用相应的私钥进行解密，如图38所示。
</p-ch>
<img src="fig.37.jpg" width="" height="" alt="" />
<p-en>
	Figure 37: In a symmetric key secure permutation (block cipher), the same secret key must be provided to both the encryption and the decryption algorithm.
</p-en>
<p-ch>
	图37: 在对称钥安全互换（块加密）中, 加密和解密算法必须使用相同的密钥。
</p-ch>
<img src="fig.38.jpg" width="" height="" alt="" />
<p-en>
	Figure 38: In an asymmetric key block cipher, the encryption algorithm operates on a public key, and the decryption algorithm uses the corresponding private key.
</p-en>
<p-ch>
	图38: 在非对称钥块加密中, 加密算法使用的是公钥, 解密算法使用相应的私钥.
</p-ch>
<p-en>
	The most popular block cipher based on symmetric keys at the time of this writing is the American Encryption Standard (AES) [39, 141], with two variants that operate on 128-bit blocks using 128-bit keys or 256-bit keys. AES is a secure permutation function, as it can transform any 128-bit block into another 128-bit block. Recently, the United States National Security Agency (NSA) required the use of 256-bit AES keys for protecting sensitive information [143].
</p-en>
<p-ch>
	在撰写本文时，最流行的基于对称钥的块加密是美国加密标准(AES)[39，141]，它有两个变体，使用128位钥或256位钥对128位块进行操作。AES是一种安全的置换函数，因为它可以将任何128位块转化为另一个128位块。最近，美国国家安全局（NSA）要求使用256位AES密钥来保护敏感信息[143]。
</p-ch>
<p-en>
	The most deployed asymmetric key block cipher is the Rivest-Shamir-Adelman (RSA) [158] algorithm. RSA has variable key sizes, and 3072-bit key pairs are considered to provide the same security as 128-bit AES keys [20].
</p-en>
<p-ch>
	部署最多的非对称钥块加密是Rivest-Shamir-Delman（RSA）[158]算法。RSA具有可变的钥大小，3072位钥对被认为可以提供与128位AES密钥相同的安全性[20]。
</p-ch>
<p-en>
	A block cipher does not necessarily guarantee confidentiality, when used on its own. A noticeable issue is that in our previous example, a block cipher would generate the same encrypted output for any of Alice's BUY orders, as they all have the same content. Furthermore, each block cipher has its own assumptions that can lead to subtle vulnerabilities if the cipher is used directly.
</p-en>
<p-ch>
	单独使用时，块加密并不一定能保证机密性。一个明显的问题是，在我们之前的例子中，块加密会对Alice的任何一个BUY订单产生相同的加密输出，因为它们都有相同的内容。此外，每个块加密都有自己的假设，如果直接使用块加密，会导致微妙的漏洞。
</p-ch>
<p-en>
	Symmetric key block ciphers are combined with operating modes to form symmetric encryption schemes. Most operating modes require a random initialization vector (IV) to be used for each message, as shown in Figure 39. When analyzing the security of systems based on these cryptosystems, an understanding of the IV generation process is as important as ensuring the confidentiality of the encryption key.
</p-en>
<p-ch>
	对称钥块加密与操作模式相结合，形成对称加密方案。大多数操作模式要求对每个消息使用随机初始化向量（IV），如图39所示。在分析基于这些密码系统的系统安全性时，了解IV的生成过程与确保加密钥的机密性同样重要。
</p-ch>
<img src="fig.39.jpg" width="" height="" alt="" />
<p-en>
	Figure 39: Symmetric key block ciphers are combined with operating modes. Most operating modes require a random initialization vector (IV) to be generated for each encrypted message.
</p-en>
<p-ch>
	图39: 对称钥块加密与操作模式相结合。大多数操作模式要求为每个加密消息生成一个随机初始化向量（IV）。
</p-ch>
<p-en>
	Counter (CTR) and Cipher Block Chaining (CBC) are examples of operating modes recommended [45] by the United States National Institute of Standards and Technology (NIST), which informs the NSA's requirements. Combining a block cipher, such as AES, with an operating mode, such as CTR, results in an encryption method, such as AES-CTR, which can be used to add confidentiality guarantees.
</p-en>
<p-ch>
	计数器(CTR)和加密块链(CBC)是美国国家标准与技术研究院(NIST)推荐的操作模式的例子[45]，它为NSA的要求提供了参考。将AES等块加密与CTR等操作模式结合起来，就会产生AES-CTR等加密方法，可以用来增加机密性保证。
</p-ch>
<p-en>
	In the asymmetric key setting, there is no concept equivalent to operating modes. Each block cipher has its own assumptions, and requires a specialized scheme for general-purpose usage.
</p-en>
<p-ch>
	在非对称钥环境下，没有等同于操作模式的概念。每一种块加密都有自己的假设，一般目的的用途, 需要一个专门的方案.
</p-ch>
<p-en>
	The RSA algorithm is used in conjunction with padding methods, the most popular of which are the methods described in the Public-Key Cryptography Standard (PKCS) #1 versions 1.5 [112] and 2.0 [113]. A security analysis of a system that uses RSA-based encryption must take the padding method into consideration. For example, the padding in PKCS #1 v1.5 can leak the private key under certain circumstances [23]. While PKCS #1 v2.0 solves this issue, it is complex enough that some implementations have their own security issues [134].
</p-en>
<p-ch>
	RSA算法是和填充方法一起使用的，其中最流行的是公钥密码学标准（PKCS）#1版本1.5[112]和2.0[113]中描述的方法。对使用基于RSA的加密的系统进行安全分析必须考虑到填充方法。例如，PKCS #1 v1.5中的填空在某些情况下会泄露私钥[23]。虽然PKCS #1 v2.0解决了这个问题，但它足够复杂，一些实现有自己的安全问题[134]。
</p-ch>
<p-en>
	Asymmetric encryption algorithms have much higher computational requirements than symmetric encryption algorithms. Therefore, when non-trivial quantities of data is encrypted, the sender generates a single-use secret key that is used to encrypt the data, and encrypts the secret key with the receiver's public key, as shown in Figure 40.
</p-en>
<p-ch>
	非对称加密算法的计算要求比对称加密算法高得多。因此，当对非平凡数量的数据进行加密时，发送方生成一个一次性使用的密钥，用于对数据进行加密，并用接收方的公钥对密钥进行加密，如图40所示。
</p-ch>
<img src="fig.40.jpg" width="" height="" alt="" />
<p-en>
	Figure 40: Asymmetric key encryption is generally used to bootstrap a symmetric key encryption scheme.
</p-en>
<p-ch>
	图40: 非对称钥加密一般用于引导对称密钥加密方案。
</p-ch>
<subsubsection-title-en>3.1.3 Integrity</subsubsection-title-en>
<subsubsection-title-ch>3.1.3 完整性</subsubsection-title-ch>

<p-en>
	Many cryptosystems that provide integrity guarantees are built upon secure hashing functions. These hash functions operate on an unbounded amount of input data and produce a small fixed-size output. Secure hash functions have a few guarantees, such as pre-image resistance, which states that an adversary cannot produce input data corresponding to a given hash output.
</p-en>
<p-ch>
	许多提供完整性保证的密码系统都是建立在安全散列函数的基础上。这些散列函数对无限制数量的输入数据进行操作，并产生一个小的固定尺寸的输出。安全散列函数有一些保证，例如预映像抗性，它规定敌人不能产生与给定散列输出相对应的输入数据。
</p-ch>
<p-en>
	At the time of this writing, the most popular secure hashing function is the Secure Hashing Algorithm (SHA) [48]. However, due to security issues in SHA-1 [173], new software is recommended to use at least 256-bit SHA-2 [21] for secure hashing.
</p-en>
<p-ch>
	在撰写本文时，最流行的安全散列函数是安全散列算法（SHA）[48]。然而，由于SHA-1[173]的安全问题，建议新软件至少使用256位的SHA-2[21]进行安全散列。
</p-ch>
<p-en>
	The SHA hash functions are members of a large family of block hash functions that consume their input in fixed-size message blocks, and use a fixed-size internal state. A block hash function is used as shown in Figure 41. An INITIALIZE algorithm is first invoked to set the internal state to its initial values. An EXTEND algorithm is executed for each message block in the input. After the entire input is consumed, a FINALIZE algorithm produces the hash output from the internal state.
</p-en>
<p-ch>
	SHA散列函数是一个庞大的块散列函数家族的成员，它以固定大小的消息块消耗其输入，并使用固定大小的内部状态。如图41所示，使用了一个块散列函数。首先调用INITIALIZE算法，将内部状态设置为初始值。对输入中的每个消息块执行一个EXTEND算法。在消耗完整个输入后，FINALIZE算法产生内部状态的散列输出。
</p-ch>
<img src="fig.41.jpg" width="" height="" alt="" />
<p-en>
	Figure 41: A block hash function operates on fixed-size message blocks and uses a fixed-size internal state.
</p-en>
<p-ch>
	图41: 块散列函数在固定大小的消息块上操作, 并使用固定大小的内部状态。
</p-ch>
<p-en>
	In the symmetric key setting, integrity guarantees are obtained using a Message Authentication Code (MAC) cryptosystem, illustrated in Figure 42. The sender uses a MAC algorithm that reads in a symmetric key and a variable-length message, and produces a fixed-length, short MAC tag. The receiver provides the original message, the symmetric key, and the MAC tag to a MAC verification algorithm that checks the authenticity of the message.
</p-en>
<p-ch>
	在对称钥环境下，使用消息鉴真码（MAC）密码系统获得完整性保证，如图42所示。发送方使用MAC算法，读取对称钥和可变长度的消息，并产生一个固定长度的短MAC标签。接收方将原始电文、对称钥和MAC标签提供给MAC验证算法，该算法检查电文的真实性。
</p-ch>
<img src="fig.42.jpg" width="" height="" alt="" />
<p-en>
	Figure 42: In the symmetric key setting, integrity is assured by computing a Message Authentication Code (MAC) tag and transmitting it over the network along the message. The receiver feeds the MAC tag into a verification algorithm that checks the message's authenticity.
</p-en>
<p-ch>
	图42: 在对称钥环境下，通过计算消息鉴真码（MAC）标签并将其与消息在网络上一起传输来确保完整性。接收者将MAC标签送入一个验证算法，检查消息的真实性。
</p-ch>
<p-en>
	The key property of MAC cryptosystems is that an adversary cannot produce a MAC tag that will validate a message without the secret key.
</p-en>
<p-ch>
	MAC密码系统的关键属性是，敌人没有密钥就不能产生MAC标签来让消息通过验证。
</p-ch>
<p-en>
	Many MAC cryptosystems do not have a separate MAC verification algorithm. Instead, the receiver checks the authenticity of the MAC tag by running the same algorithm as the sender to compute the expected MAC tag for the received message, and compares the output with the MAC tag received from the network.
</p-en>
<p-ch>
	许多MAC密码系统没有单独的MAC验证算法。相反，接收方通过运行与发送方相同的算法来检查MAC标签的真实性，计算所接收信息的预期MAC标签，并将输出结果与从网络接收的MAC标签进行比较。
</p-ch>
<p-en>
	This is the case for the Hash Message Authentication Code (HMAC) [124] generic construction, whose operation is illustrated in Figure 43. HMAC can use any secure hash function, such as SHA, to build a MAC cryptosystem.
</p-en>
<p-ch>
	散列消息鉴真码(HMAC)[124]通用构造就是如此，其操作如图43所示。HMAC可以使用任何安全的散列函数，如SHA，来构建MAC密码系统。
</p-ch>
<img src="fig.43.jpg" width="" height="" alt="" />
<p-en>
	Figure 43: In the symmetric key setting, integrity is assured by computing a Hash-based Message Authentication Code (HMAC) and transmitting it over the network along the message. The receiver re-computes the HMAC and compares it against the version received from the network.
</p-en>
<p-ch>
	图43: 在对称钥环境下，通过计算一个基于散列的消息鉴真码(HMAC)并将其与消息一起在网络上传输，以确保完整性。接收者重新计算HMAC，并将其与从网络上收到的版本进行比较。
</p-ch>
<p-en>
	Asymmetric key primitives that provide integrity guarantees are known as signatures. The message sender provides her private key to a signing algorithm, and transmits the output signature along with the message, as shown in Figure 44. The message receiver feeds the sender's public key and the signature to a signature verification algorithm, which returns TRUE if the message matches the signature, and FALSE if the message has been tampered with.
</p-en>
<p-ch>
	提供完整性保证的非对称钥基元被称为签名。消息发送者将其私钥提供给一个签名算法，并将输出的签名与消息一起传送，如图44所示。信息接收者将发送者的公钥和签名提供给签名验证算法，如果消息与签名匹配，则返回 "真"，如果消息被篡改，则返回 "假"。
</p-ch>
<img src="fig.44.jpg" width="" height="" alt="" />
<p-en>
	Figure 44: Signature schemes guarantee integrity in the asymmetric key setting. Signatures are created using the sender's private key, and are verified using the corresponding public key. A cryptographically secure hash function is usually employed to reduce large messages to small hashes, which are then signed.
</p-en>
<p-ch>
	图44: 签名方案保证非对称钥环境下的完整性。签名是用发送者的私钥创建的，并使用相应的公钥进行验证。通常采用密码学上安全的散列函数，将大的信息归约成小的散列值，然后进行签名。
</p-ch>
<p-en>
	Signing algorithms can only operate on small messages and are computationally expensive. Therefore, in practice, the message to be transmitted is first ran through a cryptographically strong hash function, and the hash is provided as the input to the signing algorithm.
</p-en>
<p-ch>
	签名算法只能对小的消息进行操作，计算成本很高。因此，在实践中，要传输的电文首先要经过密码学上强的散列函数，然后将散列值作为签名算法的输入。
</p-ch>
<p-en>
	At the time of this writing, the most popular choice for guaranteeing integrity in shared secret settings is HMAC-SHA, an HMAC function that uses SHA for hashing.
</p-en>
<p-ch>
	在写这篇文章的时候，保证共享秘密设置中完整性的最流行的选择是HMAC-SHA，HMAC函数使用SHA进行散列。
</p-ch>
<p-en>
	Authenticated encryption, which combines a block cipher with an operating mode that offers both confidentiality and integrity guarantees, is often an attractive alternative to HMAC. The most popular authenticated encryption operating mode is Galois/Counter operation mode (GCM) [137], which has earned NIST's recommendation [47] when combined with AES to form AES-GCM.
</p-en>
<p-ch>
	鉴真加密，将块加密与同时提供机密性和完整性保证的操作模式结合起来，通常是HMAC的一个有吸引力的替代方案。最流行的鉴真加密操作模式是伽罗瓦/计数器操作模式(GCM)[137]，当与AES结合形成AES-GCM时，它赢得了NIST的推荐[47]。
</p-ch>
<p-en>
	The most popular signature scheme combines the RSA encryption algorithms with a padding schemes specified in PKCS #1, as illustrated in Figure 45. Recently, elliptic curve cryptography (ECC) [121] has gained a surge in popularity, thanks to its smaller key sizes. For example, a 384-bit ECC key is considered to be as secure as a 3072- bit RSA key [20, 143]. The NSA requires the Digital Signature Standard (DSS)[142], which specifies schemes based on RSA and ECC.
</p-en>
<p-ch>
	最流行的签名方案结合了RSA加密算法和PKCS #1中规定的填充方案，如图45所示。最近，椭圆曲线密码学（ECC）[121]由于其较小的钥大小，得到了急剧的普及。例如，384位的ECC密钥被认为与3072位的RSA密钥一样安全[20，143]。美国国家安全局要求采用数字签名标准（DSS）[142]，该标准规定了基于RSA和ECC的方案。
</p-ch>
<img src="fig.45.jpg" width="" height="" alt="" />
<p-en>
	Figure 45: The RSA signature scheme with PKCS #1 v1.5 padding specified in RFC 3447 combines a secure hash of the signed message with a DER-encoded specification of the secure hash algorithm used by the signature, and a padding string whose bits are all set to 1. Everything except for the secure hash output is considered to be a part of the PKCS #1 v1.5 padding.
</p-en>
<p-ch>
	图45: RFC 3447规定的带有PKCS #1 v1.5填充的RSA签名方案将被签名消息的安全散列值与签名所使用的安全散列算法的DER编码规格以及位数均为1的填充字符串相结合。除了安全散列输出之外的所有内容都被认为是PKCS #1 v1.5 padding的一部分。
</p-ch>

<subsubsection-title-en>3.1.4 Freshness</subsubsection-title-en>
<subsubsection-title-ch>3.1.4 新鲜性</subsubsection-title-ch>

<p-en>
	Freshness guarantees are typically built on top of a system that already offers integrity guarantees, by adding a unique piece of information to each message. The main challenge in freshness schemes comes down to economically maintaining the state needed to generate the unique pieces of information on the sender side, and verify their uniqueness on the receiver side.
</p-en>
<p-ch>
	新鲜性保证通常建立在一个已经提供完整性保证的系统之上，通过在每个消息中添加一个独特的信息。新鲜性方案的主要挑战是如何经济地维持在发送方生成唯一信息和在接收方验证其唯一性所需的状态。
</p-ch>
<p-en>
	A popular solution for gaining freshness guarantees relies on nonces, single-use random numbers. Nonces are attractive because the sender does not need to maintain any state; the receiver, however, must store the nonces of all received messages.
</p-en>
<p-ch>
	获得新鲜性保证的一个流行的解决方案依赖于nonce，即一次性使用的随机数。Nonces很有吸引力，因为发送者不需要保持任何状态；然而，接收者必须存储所有已接收信息的noncs。
</p-ch>
<p-en>
	Nonces are often combined with a message timestamping and expiration scheme, as shown in Figure 46. An expiration can greatly reduce the receiver's storage requirement, as the nonces for expired messages can be safely discarded. However, the scheme depends on the sender and receiver having synchronized clocks. The message expiration time is a compromise between the desire to reduce storage costs, and the need to tolerate clock skew and delays in message transmission and processing.
</p-en>
<p-ch>
	Nonces通常与消息时间戳和过期方案相结合，如图46所示。过期可以大大降低接收者的存储需求，因为过期消息的noncs可以被安全地丢弃。然而，该方案依赖于发送方和接收方具有同步的时钟。消息过期时间是在降低存储成本的愿望和需要容忍时钟偏斜以及消息传输和处理中的延迟之间的折中方案。
</p-ch>
<img src="fig.46.jpg" width="" height="" alt="" />
<p-en>
	Figure 46: Freshness guarantees can be obtained by adding timestamped nonces on top of a system that already offers integrity guarantees. The sender and the receiver use synchronized clocks to timestamp each message and discard unreasonably old messages. The receiver must check the nonce in each new message against a database of the nonces in all the unexpired messages that it has seen.
</p-en>
<p-ch>
	图46: 新鲜性保证可以通过在一个已经提供完整性保证的系统上增加打上时间戳的nonces来实现。发送方和接收方使用同步的时钟对每个消息打上时间戳，并丢弃不合理的旧消息。接收者必须检查每一条新消息中的nonce, 将其与与一个数据库中的nonce进行对比. 该数据库中的nonce都是它在之前的消息中看到过的, 并且是还未过期的.[<remark-ch>估计过期的nonce就可以重用了</remark-ch>]
</p-ch>
<p-en>
	Alternatively, nonces can be used in challenge-response protocols, in a manner that removes the storage overhead concerns. The challenger generates a nonce and embeds it in the challenge message. The response to the challenge includes an acknowledgement of the embedded nonce, so the challenger can distinguish between a fresh response and a replay attack. The nonce is only stored by the challenger, and is small in comparison to the rest of the state needed to validate the response.
</p-en>
<p-ch>
	另外，nonces也可以用于挑战-响应协议中，这种方式可以消除存储开销问题。挑战者生成一个nonce并将其嵌入到挑战消息中。对挑战的响应包括对嵌入的非ce的确认，因此挑战者可以区分新的响应和重放攻击。非ce仅由挑战者存储，与验证响应所需的其他状态相比，非ce的容量很小。
</p-ch>

</body>
</html>	